Security Automation and Orchestration
Zach Sivertson
Sr. Director, Product Management – Symantec
October 2018
© 2018 SPLUNK INC.
Forward-Looking Statements
During the course of this presentation, we may make forward-looking statements regarding future events or
the expected performance of the company. We caution you that such statements reflect our current
expectations and estimates based on factors currently known to us and that actual events or results could
differ materially. For important factors that may cause actual results to differ from those contained in our
forward-looking statements, please review our filings with the SEC.
The forward-looking statements made in this presentation are being made as of the time and date of its live
presentation. If reviewed after its live presentation, this presentation may not contain current or accurate
information. We do not assume any obligation to update any forward-looking statements we may make. In
addition, any information about our roadmap outlines our general product direction and is subject to change
at any time without notice. It is for informational purposes only and shall not be incorporated into any contract
or other commitment. Splunk undertakes no obligation either to develop the features or functionality
described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in
the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2018 Splunk Inc. All rights reserved.
The Problem
Sandboxing Systems are Slow
The Problem
Most Sandbox Systems are Not Real-Time
The Problem
Too Many Alerts; SoC Teams are Overwhelmed
▶ Sandbox systems can create lots of alerts that aren’t prioritized or automated
• Many vendors want their systems deployed in front of the proxy or firewall to “see everything”
▶ You don’t know right away whether you need to take action
• Did the file reach the endpoint?
• How do I prioritize thousands of alerts?
The Problem
Too Many Alerts; SoC Teams are Overwhelmed
(Figure: share of alerts investigated: 1.9%)
The Problem
Sandbox Responses are Not Automated
▶ SOC teams get thousands of sandbox alerts that require manual verification:
• Did this file get blocked by some downstream security device?
• How risky is this incident?
• Is it more important than other items in my queue?
• Should I act now?
• How should I remediate this issue?
Tip #1
Deploy Sandbox Behind Web Proxy
As a security administrator…
When I receive an alert from the sandbox I want to know which endpoints across my entire network have
seen these same IoCs. This will shorten my incident response time by preventing my team from performing
unnecessary work to confirm whether the malicious sample detonated on the endpoint.
Workflow:
1. Sandbox discovers a malicious sample and sends its data to Phantom
2. Phantom queries the endpoints to verify the IoCs across the entire endpoint deployment (file hash,
registry changes, URL, process name, etc.)
3. The list of infected endpoints is then added to the sandbox report, showing the admin not only what
happened in the sandbox but which endpoints are infected
Workflow:
1. Sandbox discovers a malicious sample with high certainty and sends its data to Phantom
2. Phantom reaches out to the endpoint tooling and blacklists that hash on all endpoints
3. This prevents the spread of the file to other endpoint devices
Workflow:
1. Sandbox discovers a malicious sample and sends its data to Phantom
2. Phantom queries the endpoints to verify the IoCs (file hash, registry changes, URL, process name, etc.)
3. The list of infected endpoints is then added to the sandbox report, showing the admin not only what happened
in the sandbox, but which endpoints are infected
4. Malicious samples are deleted, processes stopped, call-back traffic blocked and registry keys reverted in
order to limit the damage until the device can be re-imaged
5. Contacting the employee is automated, notifying them that their machine needs to be re-imaged and that they should stop by the I.T.
Help Desk (email, Slack, SMS, etc.)
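The three workflows above share one core step: fan the sandbox verdict's IoCs out to every endpoint, keep only the endpoints that actually observed them, and let the verdict's confidence plus that endpoint reach decide what gets automated. The following is an added example of that logic written for this page (not Phantom's own playbook API); the SandboxVerdict fields, the ENDPOINTS telemetry, the action names and the 90-point block threshold are all constructed assumptions.

```python
"""Sandbox verdict -> endpoint IoC correlation -> prioritized response actions.

Illustrative playbook logic only; the verdict and the endpoint telemetry
are constructed sample data, not output of any real sandbox or EDR.
"""
from dataclasses import dataclass, field

IOC_FIELDS = ("hashes", "urls", "processes", "registry_keys")


@dataclass
class SandboxVerdict:
    score: int                      # sandbox confidence, 0-100 (assumed scale)
    hashes: set = field(default_factory=set)
    urls: set = field(default_factory=set)
    processes: set = field(default_factory=set)
    registry_keys: set = field(default_factory=set)


# Constructed telemetry: what each endpoint agent has observed. In a real
# playbook this is the result of the EDR query fanned out in step 2.
ENDPOINTS = {
    "ws-001": {"hashes": {"CONSTRUCTED-SHA256-A"}, "urls": set(),
               "processes": {"explorer.exe"}, "registry_keys": set()},
    "ws-002": {"hashes": set(), "urls": {"http://callback.example.invalid/beacon"},
               "processes": {"updater.exe"}, "registry_keys": set()},
    "ws-003": {"hashes": set(), "urls": set(),
               "processes": {"chrome.exe"}, "registry_keys": set()},
}


def match_iocs(verdict, telemetry):
    """Return the verdict's IoCs that this one endpoint has actually seen."""
    hits = []
    for kind in IOC_FIELDS:
        for ioc in sorted(getattr(verdict, kind) & telemetry.get(kind, set())):
            hits.append(f"{kind}:{ioc}")
    return hits


def correlate(verdict, endpoints):
    """Step 2: check every endpoint, keep only those with at least one hit."""
    infected = {}
    for host, telemetry in endpoints.items():
        hits = match_iocs(verdict, telemetry)
        if hits:
            infected[host] = hits
    return infected


def triage(verdict, endpoints, block_threshold=90):
    """Steps 3-5: severity from endpoint reach, actions from confidence + reach."""
    infected = correlate(verdict, endpoints)
    actions = []
    if verdict.score >= block_threshold:      # high-certainty verdict: block everywhere
        for h in sorted(verdict.hashes):
            actions.append(("blacklist_hash", h, "all_endpoints"))
    for host in sorted(infected):             # only confirmed endpoints get remediation
        actions.append(("contain", host))
        actions.append(("notify_user", host))
    if infected and verdict.score >= block_threshold:
        severity = "critical"
    else:
        severity = "high" if infected else "low"
    return {"severity": severity, "infected": infected, "actions": actions}
```

An alert whose IoCs hit no endpoint comes out as "low" with no actions, which is the prioritization step the slides say is missing from raw sandbox output.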
Tip #3 Automate and Orchestrate
Tip #3 Demo
2. Pre-filter Sandbox
• Reduce alert noise
• Save on deployment cost
Thank You
Don't forget to rate this session in the .conf18 mobile app